Traditional advertising has been done using traditional media, such as print advertising, TV, and radio. Currently, media consumption is transitioning from conventional communication means—such as broadcast television and radio, print media, and postal mail—to electronic media distributed, for example, over the Internet and via electronic mail (i.e., email). However, advertising spending continues to focus heavily on traditional communication means. Web-based and electronic communications are becoming the industry standard for personal and business use. Increasingly, news, advertisements, business communications, personal communications, and other information (collectively hereinafter also referred to as “media consumption”) are being created, stored, and transmitted electronically via computing networks, such as the Internet. A computing network, as used herein, refers to a collection of desktop computers, laptop computers, mobile phones, and handheld or mobile computing devices (collectively “personal computing device” or “computing device”) interconnected by communication channels that facilitate communications among users and allow users to share resources. At work, employees access such networks, along with their associated corporate computing resources, from their local computing device on a daily basis in order to perform their jobs. Away from work, people similarly access such networks and resources, typically through home, mobile, or remote connections. Numerous types of electronic and network connections and communication channels are ubiquitous in the industry and well known to one familiar with this technology and industry. Examples include wired and wireless connections, a local area network (LAN), a wide area network (WAN), a virtual private network (VPN), high speed connections of various types, intranets, extranets, the Internet, and the like.
Online advertising often prices ads on a per impression basis, where an impression is a single instance of displaying an ad to an individual. There has been some progress in tailoring ad impressions to individuals based on some limited information about an individual, such as based on websites they have visited, interests, demographic information, or the like. However, advertisements for health insurance, medications, or other healthcare products or services may not lend themselves to easily targeting individuals likely to be interested in the advertised product or service. Targeting individuals based on needs or interests related to healthcare may face additional hurdles not addressed in traditional online advertisement mechanisms. For example, in the U.S., the Health Insurance Portability and Accountability Act of 1996 (HIPAA) places certain restrictions on how healthcare information may be accessed, shared, and used.
Paying for an impression to an individual that is not interested in the product or service, unlikely to be interested in the future, or has likely already purchased the product or service, may be a wasted impression that costs the advertisement campaign precious capital. Furthermore, the ability to serve up individual impressions on a screen to a specific individual presents a unique opportunity and challenge not addressed in traditional media campaigns. As such, there remains a need to create strategies and technologies that deliver individual advertising experiences to consumers to spread the word about a healthcare product or service in a cost effective manner.
Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic healthcare transactions and national identifiers for providers, health insurance plans, and employers.
Title II of HIPAA defines policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information, as well as outlining numerous offenses relating to healthcare and sets civil and criminal penalties for violations. It also creates several programs to control fraud and abuse within the healthcare system. However, the most significant provisions of Title II are its Administrative Simplification rules. Title II requires the Department of Health and Human Services (HHS) to draft rules aimed at increasing the efficiency of the healthcare system by creating standards for the use and dissemination of healthcare information.
These rules apply to “covered entities” as defined by HIPAA and the HHS. Covered entities include health plans, healthcare clearinghouses, such as billing services and community health information systems, and health services providers that transmit healthcare data in a way that is regulated by HIPAA.
Per the requirements of Title II, the HHS has promulgated five rules regarding Administrative Simplification: the Privacy Rule, the Transactions and Code Sets Rule, the Security Rule, the Unique Identifiers Rule, and the Enforcement Rule. The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by “covered entities” (generally, healthcare clearinghouses, employer sponsored health plans, health insurers, and medical service providers that engage in certain transactions). By regulation, the Department of Health and Human Services extended the HIPAA Privacy Rule to independent contractors of covered entities who fit within the definition of “business associates.” PHI is any information held by a covered entity which concerns health status, provision of healthcare, or payment for healthcare that can be linked to an individual. This is interpreted rather broadly and includes any part of an individual's medical record or payment history. Covered entities must disclose PHI to the individual within 30 days upon request. They also must disclose PHI when required to do so by law, such as when reporting suspected child abuse to state child welfare agencies.
A covered entity may disclose PHI to facilitate treatment, payment, or healthcare operations without a patient's express written authorization. Any other disclosure of PHI requires the covered entity to obtain written authorization from the individual for the disclosure. In every case, when a covered entity discloses any PHI, it must make a reasonable effort to disclose only the minimum necessary information required to achieve its purpose.
While the Privacy Rule pertains to all Protected Health Information (PHI) including paper and electronic, the Security Rule deals specifically with Electronic Protected Health Information (EPHI). The standards and specifications include: administrative safeguards, which include policies and procedures designed to clearly show how the entity will comply with the act; physical safeguards, which require controlling physical access to protect against inappropriate access to protected data; and technical safeguards, which require controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient. Entities that must comply with HIPAA requirements are referred to as covered entities.
As used in information security, Personally Identifiable Information (PII) is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. NIST Special Publication 800-122 defines PII as any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. For example, a user's IP address as used in a communication exchange is classed as PII regardless of whether it can, on its own, uniquely identify a person.
Although the concept of PII is old, it has become much more important as information technology and the Internet have made it easier to collect PII through breaches of internet security, network security, and web browser security, leading to a profitable market in collecting and reselling PII. PII can also be exploited by criminals to stalk or steal the identity of a person, or to plan a person's murder or robbery, among other crimes. As a response to these threats, many website privacy policies specifically address the collection of PII, and lawmakers have enacted legislation to limit the distribution and accessibility of PII.
PII can include, for example:

- Full name (if not common)
- Email address (if private, e.g., from an association or club membership)
- National identification number
- IP address (in some cases)
- Vehicle registration plate number
- Driver's license number
- Face, fingerprints, or handwriting
- Credit card numbers
- Digital identity
- Date of birth
- Birthplace
- Genetic information
The following are less often used to distinguish individual identity, because they are traits shared by many people. In general, these traits will not be considered PII. However, they are potentially PII, because they may be combined with other personal information to identify an individual.

- First or last name, if common
- Country, state, or city of residence
- Age, especially if non-specific
- Gender or race
- Name of the school they attend or workplace
- Grades, salary, or job position
- Criminal record
Protected Health Information (PHI) is any information about health status, provision of healthcare, or payment for healthcare that can be linked to a specific individual. This can be interpreted rather broadly and includes any part of a patient's medical record or payment history. PHI is often sought out in datasets for de-identification before researchers share the dataset publicly.
Under the US Health Insurance Portability and Accountability Act (HIPAA), PHI that is linked based on the following list of 18 identifiers must be treated with special care:

1. Names
2. All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
3. Dates (other than year) directly related to an individual
4. Phone numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health insurance beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Uniform Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger, retinal and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
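The 18-identifier list above, together with the de-identification use case mentioned for PHI datasets, describes a concrete procedure: drop the direct identifiers, reduce dates to the year, and generalize zip codes by the 20,000-person rule. The following Python is an added worked example written for this page; it is not code from the original text or from any HIPAA tooling. It assumes records are flat dicts, and the census population table `ZIP3_POPULATION` and the sample record are constructed values standing in for real Bureau of the Census data and real patient data. The free-text scan for identifier-shaped strings is an extra check added here because identifiers in notes fields are the usual way a "de-identified" export still leaks PHI.

```python
"""Safe Harbor-style de-identification of a flat patient record (added example).

Assumptions (not from the original text):
- A record is a flat dict keyed by field name.
- ZIP3_POPULATION is a constructed stand-in for Bureau of the Census data.
- Date fields are ISO-8601 strings and end in "_date".
"""
import re
from datetime import date

# Constructed stand-in for census population per 3-digit zip prefix.
ZIP3_POPULATION = {
    "021": 1_200_000,  # densely populated prefix (constructed value)
    "036": 15_000,     # sparsely populated prefix (constructed value)
}
POPULATION_THRESHOLD = 20_000  # the rule's "more than 20,000 people" cut-off

# Record fields that map onto directly identifying items in the 18-identifier list.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "vehicle_plate", "device_serial",
    "url", "ip_address", "photo", "fingerprint_template",
}

# Identifier shapes that commonly leak through free-text fields.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def generalize_zip(zip_code: str, zip3_population=ZIP3_POPULATION) -> str:
    """Keep the 3-digit prefix only if its census area has more than 20,000 people.

    Unknown prefixes default to a population of 0 and therefore become '000',
    which is the conservative choice when the census table is incomplete.
    """
    prefix = zip_code[:3]
    if zip3_population.get(prefix, 0) > POPULATION_THRESHOLD:
        return prefix
    return "000"


def generalize_date(value: str) -> str:
    """Reduce an ISO date to its year; dates other than year are identifiers."""
    return str(date.fromisoformat(value).year)


def redact_free_text(text: str) -> tuple[str, list[str]]:
    """Replace identifier-shaped substrings and report which pattern kinds fired."""
    hits = []
    for kind, pattern in FREE_TEXT_PATTERNS.items():
        if pattern.search(text):
            hits.append(kind)
            text = pattern.sub(f"[{kind.upper()} REMOVED]", text)
    return text, hits


def safe_harbor_deidentify(record: dict, zip3_population=ZIP3_POPULATION) -> dict:
    """Return a copy of `record` with identifiers removed or generalized."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # direct identifiers are dropped entirely
        if field == "zip":
            out["zip3"] = generalize_zip(value, zip3_population)
        elif field.endswith("_date"):
            out[field.replace("_date", "_year")] = generalize_date(value)
        elif field == "notes":
            out["notes"], _ = redact_free_text(value)
        else:
            out[field] = value  # clinical and state-level fields are retained
    return out


# Constructed sample record; none of these values belong to a real person.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "mrn": "MRN-0001",
    "email": "jane@example.org",
    "ip_address": "203.0.113.7",
    "zip": "03601",
    "birth_date": "1980-04-12",
    "admission_date": "2021-09-30",
    "diagnosis_code": "E11.9",
    "state": "NH",
    "notes": "Patient called from 603-555-0142; reached at jane@example.org.",
}

if __name__ == "__main__":
    print(safe_harbor_deidentify(SAMPLE_RECORD))
```

Two design points are worth noting. The zip rule is applied against a population table rather than a hard-coded list of prefixes, because the rule depends on current census data and the set of small-population prefixes changes over time. The regex scan over `notes` is a coarse screen, not a guarantee: it catches the identifier shapes listed above but cannot recognise a name or a narrative date, so free-text fields in a dataset intended for public release still need review beyond pattern matching.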